Hi All,

I have seen on a few pre-packaged dedicated RH servers out there the ability to have ssh/ftp and email access all authenticated using a username and hostname combination such that an SSH login prompt can except the user as user@domain.com.

I'm trying to build a secure RH (8.x) environment using this method of authentication. As far as ftp and email, I know I can do this using proftpd and postfix's mysql integration; but how do they do it for SSHD?

Any links on setting up such an authentication mechanism would be greatly appreciated!

TechBrat Out.

Since nobody else has replied yet, maybe nobody else understands what you're saying either

Do you mean that you have seen something like

paranoid@home$ ssh paranoid@work.example.com
paranoid@work$ hey it worked

The paranoid@work.example.com isn't an authentication method, it's just shorthand for "login as user paranoid on host work.example.com".

The absence of the password prompt just means that ssh has been configured both at home and at work with information permitting login without password.

If this is what you want, look at the man pages for ssh-keygen, ssh-agent, and suchlike, I'll be happy to help out.

Basically you create a key with ssh-keygen, tell ssh to use it when you log on to host X, then you insert the public part of the key you created into $HOME/.ssh/authorized_keys2 on host X.

ssh-agent remembers the passwords used to protect the keys, so that you don't have to type them every time, but once you log off, even if your laptop is stolen, the keys are unusable without the password.

It's really powerful; with ssh-agent you can input your password once when you log on (or not at all if you feel secure enough to create a key that is not password-protected), and then not type it again, even when you log in to a second computer and then to a third from the second...

It is very useful for scripts, you create a key that is not password-protected, and tell the script to ssh using that key, and your script will for example do a remote backup from cron at 2AM.

Did I answer your question?

HAND

Hey,

You may be right there. I don't think it's particularly common what I want to do and I 've searched high and low on the net for articles on how to do it, but to no avail.

OK, thanks for the detailed response, but no, it doesn't answer the question.
I realise that with the client (ssh) this fully qualified user name details the username and the host. I guess what I need is the ability to map that hostname (which is on the same machine) to a passwd file in another directory.

i.e. I have a machine called bob.bobdomain.com with ip 1.2.3.4. Now this machine also hosts web sites for dan.dandomain.com and various others and they all use the same IP. All virtual hosted basically. Simple with apache.

OK, bobdomain.com has a home directory of /home/bobdomain.com/ and in that are various populated system related directories such as /bin /etc that are used when the user is chroot'ed to their home directory.

Given this, /home/bobdomain.com/etc/passwd contain entries for jenny, mary and paul such that those users can ssh into the server using jenny@bobdomain.com, be chrooted to /home/bobdomain.com and be able to access their home area as /home/bobdomain.com/home/jenny (which to them is just /home/jenny).

Phew!!

To cut a long story short, I need to be able to have virtual mapped users for ssh access (using sshd) based on their username and domain. I'm presuming this would be a special PAM module, but I haven't been able to find anything that can do it.

I hope that explains a bit further what I'm (and possibly others out there) are trying to achieve.

Ta.

TechBrat Out.

As long as you don't HAVE to have both jenny@bobdomain.com and jenny@alicedomain.com as different users, you don't have a problem, just do it.

If jenny@bobdomain.com and jenny@alicedomain.com are different users on the same machine, well, dunno. Maybe PAM will accept a username with @ in it, but that will mess up a lot of things, to begin with the ssh shorthand I mentioned earlier.

Look at MIT Kerberos a bit, ISTR some similar syntax being used.

Otherwise, either set up multiple machines, or tell the users that "your username isn't jenny anymore, it's jenny1, so there, but your e-mail is the same of course".

Yay! Glad you understand.

Yeah, the issue is that in hosting multiple domains (like an ISP) I would need to have jenny@bobdomain.com and jenny@alicedomain.com being two separate accounts.

I have seen control panel systems like ENSIM do it and after taking them to bits it recently, it appears as though they use a custom PAM plugin for the various services that map domains to another passwd file and auth from that.

Also, I think having an @ in the username would definitely break a lot of things which is why many imap/pop email systems allow you to use # instead of @ for login.

I might look at making my own PAM module for it if I can't find one anywhere and possibly investigating something using LDAP as well as Kerberos as both look like could solve the problem. Thanks for that idea.

I'm from a BSD background mainly and have only been in the RH world for about a year. When you say, put it in a virtual machine, do you mean run a separate sshd process, on each domain/ip on the machine, BSD jail style?

Looks like I may be getting my hands dirty. I'll take apart the basic unix PAM, see what comes in and see what I modify so that it can handle multiple, domain specific passwd files.

Thanks for your help.

TechBrat Out.

Just been browsing, as you do, and found this page: -

http://www.linuxgazette.com/issue42/tag/4.html

Basically, it talks about a PAM module called pam_chroot.

An interesting article and it appears as though there are incarnations of such a beast out there...just that it may need a bit of TLC to get going.

TechBrat Out.

This is roughly the same issue I am working on, however I am brand new to the subject. I am looking for the ability to give my users a single login for their e-mail, ssh, and ftp. I am hosting multiple domains and don't want to tell John Doe that he cannot have John@yyy.com becuase somebody else has John@zzz.com (which is hosted on the same machine).

It sounds like Postfix has the ability from an e-mail perspective, can sendmail handle logins that look like 'user@domain.com'?

Can somebody point me in the right direection? Thank you in advance for your help.

Merkelt,

Postfix (SMTP) is a complete replacement for sendmail (SMTP) so sendmail is actually disabled as part of installation. Postfix provides binaries to emulate the sendmail syntax. Sendmail and the standard RH Linux POP/IMAP services do not and cannot support user@domain authentication without the use of PAM modules such as that implemented by Ensim.

You can use a POP3/IMAP reader such as Courier that is integrated to use the same MySQL database and tables as postfix. Webmail systems such as Squirrelmail handle logins via user@domain as well so the email solution is easily configured for virtual hosting without the requirement for products such as Ensim or CPanel.

The main issue that I've had is with PAM authentication in the format of user@domain for SSH. FTP can be easily handled, once again with mysql database integration using proftpd. There are plenty of articles on the web documenting the procedures to do this for PostFix/Courier and ProFTPD.

Needless to say, I've been very impressed with Ensim Pro 3.5.x and it's ability to handle virtual hosting and have put my efforts toward other things rather than reinventing the wheel with chroot'ing and development of a custom PAM module.

Good Luck.

TechBrat Out.

I have been searching for the same thing. Let me know if you found a solution yet.